Electrical Grid Vulnerable to Hackers, House Told

Bureaucratic red tape is leaving the country's electrical grid open to a cyber attack, officials told a House subcommittee Thursday.

Bureaucratic red tape is leaving the country's electrical grid open to a cyber attack, officials told a House subcommittee Thursday.

The blackout that darkened a good chunk of the New York metropolitan area for several days in 2003 and cost approximately $10 billion in damages would look like a minor brownout compared a major cyber attack on the nation's electrical grid system, according to panelists that appeared before the House Subcommittee on Energy and Air Quality.

"The harm could extend not only to the economy and the health and welfare of our citizens, but event to the ability of our military forces to defend us, since many military installations rely on the bulk power system for their electricity," said Joseph Kelliher, chairman of the Federal Energy Regulatory Commission (FERC).

Current regulations, however, make it almost impossible for organizations like FERC to act in a timely manner after a viable cyber security threat has been identified, according to Kelliher. He is requesting that Congress give FERC the authority to take quick action on known cyber threats.

The Energy Policy Act of 2005 gave FERC the authority to approve reliability standards regarding the nation's bulk power system. But FERC can only approve standards; it cannot actually craft them. That job falls to the North American Electric Reliability Corporation (NERC), which worked with the industry to develop standards it presented to FERC in August 2006. FERC gave those standards its final approval in January 2008.

That type of timeline is acceptable for most issues relating to the nation's power system, but when it comes to possible cyber attacks, the government needs to be able to act within hours or days, not three years, Kelliher said.

FERC is limited by the paper shuffling and red tape created by the 2005 legislation. If FERC identifies a problem, it can order NERC to develop a solution within 60 days, but Kelliher said he is not sure NERC "could meet this schedule in practice."

Even if NERC does get its act together and come up with a solution in 60 days, FERC cannot alter the NERC proposal itself; FERC would have to send it back to NERC and re-evaluate it after it is re-submitted.

FERC "does not have sufficient authority to guard against national security threats to reliability of the electric system," Kelliher said.

The only other thing FERC can do is order NERC to issue a vague warning akin to the Homeland Security Department's color-coded threat level assessments.

But just as the average citizen might be puzzled by the color-coded DHS warnings, so were the heads of utility companies that received a 2007 NERC warning about a threat known as "Aurora."

A March 2007 simulated cyber attack conducted by DHS at the Idaho National Laboratory  codenamed Aurora - managed to remotely destroy a $1 million dollar large diesel-electric generator.

When FERC got wind of the vulnerability, it had NERC issue an advisory to 1,800 of the nation's utilities that warned them of the problem and asked that they voluntarily implement certain changes to prevent an attack.

"Because an alert is voluntary, it may tend to be general in nature and lack specificity," Kelliher said.

As a result, many utilities did very little after NERC's advisory. A FERC audit of thirty companies that received the warning found that only seven of the thirty were in full compliance. All thirty companies had taken steps, but their level of participation varied greatly, Kelliher said.

Utilities cooperated with the audit, but every single one requested additional information on what exactly they were protecting themselves against, he said.

As a result "work remains to be done and, in large part, the Aurora threat remains," Kelliher concluded.

What would help the problem? FERC asked the subcommittee to craft legislation that would allow it to issue interim standards relating to the Aurora threat that could be replaced later by more formal standards.

Kelliher also requested that FERC be allowed to issue emergency standards, as directed by the President or the Secretary of Energy, in order to address imminent threats.

"The threshold for a threat determination [should] not be so high as to be insurmountable," Kelliher warned.

He said FERC should also be able to compel utilities to make changes, and the commission's power should perhaps extend beyond the bulk power system, which at this point does not include Alaska, Hawaii, or local distribution facilities, which include major cities like New York and Washington, D.C.

The subcommittee has written draft legislation that covers many of Kelliher's concerns. The subcommittee will hold a closed, classified hearing next week on the issue with officials from the Central Intelligence Agency and the director of national intelligence, said chairman Rick Boucher, a Virginia Democrat.

"This is not an issue that we can take lightly or cover it up in just one hearing," Boucher said, but given the threats associated with Aurora, the chairman said he would like to move to bill to the full committee by next week.

Chloe Albanesius has been with PCMag.com since April 2007, most recently as Executive Editor for News and Features. Prior to that, she worked for a year covering financial IT on Wall Street for Incisive Media. From 2002 to 2005, Chloe covered technology policy for The National Journal's Technology Daily in Washington, DC. She has held internships at NBC's Meet the Press, washingtonpost.com, the Tate Gallery press office in London, Roll Call, and Congressional Quarterly. She graduated with a bachelor's degree in journalism from American University...
More »